The original pcap-util allowed you to split large dump files into smaller chunks of x MB in size, or to extract packets which fell within a certain time period. A little while later I added the ability to filter the dump using the standard libpcap filtering language. This language can select packets using most of the structures/fields found in layers 2-4 of the IP stack.

The new version of pcap-util adds two new functions which can be used to search for arbitrary strings within the application data of the packet:

1. Modify: This function allows you to search for a regular expression within the capture file, and replace it with another string. This is really useful if a vendor has asked you for a tcpdump to help diagnose a problem, but you need to ensure that you're not storing or sending any sensitive information within the data. It is also really useful if you need to adhere to PCI DSS guidelines. An example, removing all credit card numbers from a capture file:

./pcap-util modify input.pcap output.pcap "\d{12}" "XXXXXXXXXXXXX"

2. Search: This function was added by me, and really just re-uses Damien's matching code, but without the replacement. Search will look for packets containing the data you are searching for and copy them into the output file.
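The modify and search functions described above, as an added Python example that is not pcap-util's own code: it walks a minimal Ethernet/IPv4/TCP pcap built in memory (a constructed sample, not a real capture), masks regex matches in the application data with a same-length string so that the IP/TCP length fields and TCP sequence numbers stay consistent, and in search mode copies only the matching packets to the output. The pcap layout, the same-length masking rule and all function names are this example's assumptions.

```python
import re
import struct

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # constructed: LE pcap, linktype 1

def build_frame(payload: bytes) -> bytes:
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left at zero; demo only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(payloads) -> bytes:
    out = bytearray(PCAP_GLOBAL)
    for i, p in enumerate(payloads):
        frame = build_frame(p)
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def payload_offset(frame: bytes):
    """Offset of the TCP application data in an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_start = 14 + (frame[14] & 0x0F) * 4            # Ethernet header + IHL*4
    if tcp_start + 13 > len(frame):
        return None
    off = tcp_start + (frame[tcp_start + 12] >> 4) * 4  # + TCP data offset*4
    return off if off <= len(frame) else None

def process_pcap(pcap: bytes, pattern: str, mask=None):
    """With mask: overwrite each match with a same-length run of mask (modify), keeping IP/TCP
    length fields and sequence numbers consistent; checksums are NOT recomputed.
    Without mask: keep only matching packets (search). Returns (pcap_bytes, hit_count)."""
    regex = re.compile(pattern.encode())
    out, pos, hits = bytearray(pcap[:24]), 24, 0
    while pos + 16 <= len(pcap):
        hdr = pcap[pos:pos + 16]
        caplen = struct.unpack("<I", hdr[8:12])[0]
        frame = bytearray(pcap[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
        off = payload_offset(frame)
        matched = off is not None and regex.search(bytes(frame[off:])) is not None
        hits += matched
        if matched and mask is not None:
            same_len = lambda m: (mask.encode() * len(m.group(0)))[:len(m.group(0))]
            frame[off:] = regex.sub(same_len, bytes(frame[off:]))
        if mask is not None or matched:                 # modify keeps every packet
            out += hdr + frame
    return bytes(out), hits
```

Note that `\d{12}` applied to a 16-digit number masks only its first 12 digits, while a bounded range such as `\d{12,19}` covers the whole PAN; the rewritten file's TCP checksums are not recalculated here.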